From: Katy Feng
Date: Tue, 22 Aug 2023 18:11:41 +0000 (-0700)
Subject: Introduce the new CAP_HOST_VERIFIED_SAML_TOKEN capability.
X-Git-Tag: stable-12.3.0~61
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb771586d88bd46fc38853b4f63cc01262a168b1;p=thirdparty%2Fopen-vm-tools.git
Introduce the new CAP_HOST_VERIFIED_SAML_TOKEN capability.
---
diff --git a/open-vm-tools/lib/include/vmware/guestrpc/capabilities.h b/open-vm-tools/lib/include/vmware/guestrpc/capabilities.h
index c502ad45c..53b86b231 100644
--- a/open-vm-tools/lib/include/vmware/guestrpc/capabilities.h
+++ b/open-vm-tools/lib/include/vmware/guestrpc/capabilities.h
@@ -1,5 +1,5 @@
 /*********************************************************
- * Copyright (c) 2008-2017,2020-2021 VMware, Inc. All rights reserved.
+ * Copyright (c) 2008-2017,2020-2021, 2023 VMware, Inc. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published
@@ -26,6 +26,7 @@
 #ifndef _GUEST_CAPS_H_
 #define _GUEST_CAPS_H_
+/* clang-format off */
 /*
 * Guest capabilities.
 * The guest uses this enum to communicate whether a certain
@@ -79,6 +80,7 @@ typedef enum {
 CAP_GUESTSTORE_UPGRADE = 34, // supports tools upgrade from GuestStore
 CAP_DEVICE_HELPER = 35, // supports tools device helper for Windows guests
 CAP_VMBACKUP_NVME = 36, // supports NVMe for vmbackup
+ CAP_HOST_VERIFIED_SAML_TOKEN = 37, // supports host verification of SAML tokens
 } GuestCapabilities;
 typedef struct {
@@ -102,7 +104,6 @@ typedef struct {
 * If you change these strings, make sure you also change the
 * vmdb schema, since these strings are used as vmdb keys.
 */
-// clang-format off
 static GuestCapElem guestCapTable[] = {
 { UNITY_CAP_START_MENU, UNITY_CAP_VMDB_PATH, "startmenu" },
 { UNITY_CAP_VIRTUAL_DESK, UNITY_CAP_VMDB_PATH, "virtualdesk" },
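Review bot: The comment on `CAP_HOST_VERIFIED_SAML_TOKEN = 37` in the `@@ -79,6 +80,7 @@` hunk says only "supports host verification of SAML tokens", which leaves the trust contract of an authentication-related capability undocumented. A reader cannot tell from it whether a guest that advertises the bit still validates the token itself before impersonating a user, or relies on the host's verdict. I would add a short block comment above the enumerator stating which side verifies the token, what the guest still checks, and what the host may assume once the bit is set. Nothing in this diff sets or reads the capability, so presumably that code lands separately; the comment should point to it.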
@@ -145,6 +146,7 @@ static GuestCapElem guestCapTable[] = {
 { CAP_GUESTSTORE_UPGRADE, NULL, NULL },
 { CAP_DEVICE_HELPER, NULL, NULL },
 { CAP_VMBACKUP_NVME, NULL, NULL },
+ { CAP_HOST_VERIFIED_SAML_TOKEN, NULL, NULL },
 };
 // clang-format on
diff --git a/open-vm-tools/services/plugins/vix/vixPlugin.c b/open-vm-tools/services/plugins/vix/vixPlugin.c
index aecfd5e7c..1a28b955a 100644
--- a/open-vm-tools/services/plugins/vix/vixPlugin.c
+++ b/open-vm-tools/services/plugins/vix/vixPlugin.c
@@ -1,5 +1,5 @@
 /*********************************************************
- * Copyright (C) 2008-2019 VMware, Inc. All rights reserved.
+ * Copyright (c) 2008-2019, 2023 VMware, Inc. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published
@@ -75,6 +75,8 @@ VixShutdown(gpointer src,
 }
+
+
 /**
 * Returns the registration data for either the guestd or userd process.
 *
@@ -103,7 +105,7 @@ ToolsOnLoad(ToolsAppCtx *ctx)
 ToolsDaemonTcloMountHGFS, NULL, NULL, NULL, 0 },
 };
 ToolsPluginSignalCb sigs[] = {
- { TOOLS_CORE_SIG_SHUTDOWN, VixShutdown, ®Data }
+ { TOOLS_CORE_SIG_SHUTDOWN, VixShutdown, ®Data },
 };
 ToolsAppReg regs[] = {
 { TOOLS_APP_GUESTRPC, VMTools_WrapArray(rpcs, sizeof *rpcs, ARRAYSIZE(rpcs)) },
diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
index 76860a23f..021ec93ba 100644
--- a/open-vm-tools/services/plugins/vix/vixTools.c
+++ b/open-vm-tools/services/plugins/vix/vixTools.c
@@ -1,5 +1,5 @@
 /*********************************************************
- * Copyright (c) 2007-2022 VMware, Inc. All rights reserved.
+ * Copyright (c) 2007-2023 VMware, Inc. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published
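Review bot: The new row `{ CAP_HOST_VERIFIED_SAML_TOKEN, NULL, NULL },` in the `@@ -145,6 +146,7 @@` hunk is kept in step with enum value 37 only by hand. The visible rows for 34 to 36 follow enum order, which suggests (not confirmed from this hunk) that the table is looked up by capability value; if so, a missed or misplaced row would make the guest report the wrong capability, which matters more now that one of them describes token verification. A compile-time check next to the table, for example `_Static_assert(sizeof guestCapTable / sizeof guestCapTable[0] == CAP_HOST_VERIFIED_SAML_TOKEN + 1, "guestCapTable out of step with GuestCapabilities");` or the project's own compile-time assert macro, would catch that, provided the table is dense from value 0. The table starts outside this hunk.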
@@ -8295,7 +8295,8 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN
 }
 #if SUPPORT_VGAUTH
- else if (VIX_USER_CREDENTIAL_SAML_BEARER_TOKEN == credentialType) {
+ else if ((VIX_USER_CREDENTIAL_SAML_BEARER_TOKEN == credentialType)
+ ) {
 if (GuestAuthEnabled()) {
 err = GuestAuthSAMLAuthenticateAndImpersonate(obfuscatedNamePassword,
 loadUserProfile,
@@ -11996,8 +11997,7 @@ GuestAuthSAMLAuthenticateAndImpersonate(
 vgErr = VGAuth_ValidateSamlBearerToken(ctx,
 token,
 username,
- 0,
- NULL,
+ 0, NULL,
 &newHandle);
 #if ALLOW_LOCAL_SYSTEM_IMPERSONATION_BYPASS
 /*
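Review bot: In the `@@ -8295,7 +8295,8 @@` hunk the rewritten condition `else if ((VIX_USER_CREDENTIAL_SAML_BEARER_TOKEN == credentialType)` followed by a line holding only `) {` tests exactly what the old single line tested, but the doubled parentheses and the dangling `)` read as if a second clause had been dropped. This branch decides which credential types reach `GuestAuthSAMLAuthenticateAndImpersonate`, so its condition should be unambiguous at a glance. I would keep the original one-line form `else if (VIX_USER_CREDENTIAL_SAML_BEARER_TOKEN == credentialType) {` until a second credential type is actually added. The enclosing function starts and ends outside the hunk.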